Canadian to receive FBI award for uncovering massive botnet scheme

Chris Davis helped bring down one of the largest networks of hijacked computers ever uncovered — more than 15 million PCs in virtually every country and many major corporations, including most of the Canadian banks

For his troubles, the B.C.-born computer security expert is set to be recognized by the Federal Bureau of Investigation, which played a lead role in the investigation and subsequent prosecution of the three men — two Spaniards and a Slovenian — who masterminded the scheme, one of the world’s largest-ever so-called botnets.

Mr. Davis is likely the only Canadian and one of the few non-FBI employees to receive an FBI Director’s Award.

“The Director’s Awards are the highest honour employees may receive, and they recognize outstanding contributions and exceptional service to the FBI and its mission,” the agency said in an emailed statement. “The Butterfly Botnet investigative team involved foreign law enforcement and private sector partners; their efforts were critical to the success of the investigation.”

The presentation will take place in the fall.

Botnets are always a threat, but the one Mr. Davis discovered in 2009 was particularly malicious, set up to steal passwords, credit card numbers and other personal data and secretly funnel it back to the criminals running the scheme.

In this case, the malware was written in Slovenia by an IT specialist whose day job was at a telecom company; he then sold copies of it for the equivalent of about a thousand dollars.

His customers, would-be cybercriminals, could then begin using the product to infect and hijack other computers over the Internet.

“The stuff was very sophisticated,” Mr. Davis said in a telephone interview. “When they arrested the guys in Spain, the police recovered, like, millions of stolen credit card numbers. They were supposed to be unemployed, but they had nice apartments, new cars, flat-screen TVs. I mean, they were high school dropouts. One of them, when he went on vacation, he chartered a yacht.”

When police bring down botnets, they typically charge the middlemen, the people who bought the malware, but fail to reach the real culprit, the malware author, for lack of evidence. This time was different, thanks to Mr. Davis and a group of like-minded security specialists at other organizations who worked with law enforcement to tease out the details of the scheme.

Two years ago police in Slovenia charged Dejan Janžekovic, a former computer technology student in his early 20s, with computer crime.

He was granted bail but, surprisingly, as soon as he was free he went right back to selling his malware kits. So the police re-arrested him. This time they took a firmer approach.

“The FBI had a guy who came along and the story is that a Slovenian cop showed up dressed in riot gear with a ladder over his shoulder. He puts the ladder up to the back of the guy’s apartment, climbs up, throws a flash-bang into the room, climbs back down and disappears with his ladder.”

The suspect was so surprised he forgot to log off when the police burst in.

At the time Mr. Davis was running a start-up computer security firm based in Ottawa called Defence Intelligence. He had been examining Internet traffic, specifically connections to sites he suspected were malicious and later determined were run by the criminals controlling the botnet.

“I started to dig into where the [traffic to the malware sites] was coming from and I noticed that it was coming from all over the world. I saw queries from Canadian banks, Canadian government departments, from U.S. government departments, from the U.N. You know, all over the place.”
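The analysis Mr. Davis describes, pivoting from a list of suspected botnet sites to the organizations whose machines are contacting them, looks roughly like the following. This is an added example, not code from the article or from Defence Intelligence; the resolver log format, the domain names, the IP-to-organization map and the log lines themselves are constructed for illustration. It also records which hosts contacted the suspect sites at more than one point in time, since repeat contact is the kind of evidence that helps when a victim organization reacts with disbelief.

```python
"""Pivot from suspected botnet domains to the networks querying them.

Added example, not code from the article or from Defence Intelligence.
The log format, domain list and IP-to-organisation map are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed: hypothetical domains suspected of being botnet sites.
SUSPECT_DOMAINS = {"butterfly-cnc.example", "update-svc.example"}

# Constructed: which network blocks belong to which organisation.
ORG_NETS = [
    (ip_network("198.51.100.0/24"), "Example Bank"),
    (ip_network("203.0.113.0/24"), "Example Gov Dept"),
    (ip_network("192.0.2.0/24"), "Example Research Lab"),
]

# Constructed resolver log: "<ISO timestamp> <client IP> <qname> <qtype>"
SAMPLE_LOG = """\
2009-05-12T09:01:10Z 198.51.100.17 butterfly-cnc.example A
2009-05-12T09:01:12Z 198.51.100.17 www.example.org A
2009-05-12T09:03:44Z 198.51.100.23 cdn.butterfly-cnc.example A
2009-05-12T09:05:01Z 203.0.113.8 update-svc.example A
2009-05-12T10:17:30Z 198.51.100.17 butterfly-cnc.example A
2009-05-12T11:00:00Z 192.0.2.5 butterfly-cnc.example A
2009-05-12T11:00:00Z 192.0.2.5 update-svc.example A
2009-05-12T11:00:00Z 192.0.2.5 BUTTERFLY-CNC.EXAMPLE. A
2009-05-12T11:00:01Z 198.51.100.99 notbutterfly-cnc.example A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def normalise_qname(qname: str) -> str:
    """Lower-case and drop the trailing root dot so comparisons are exact."""
    return qname.rstrip(".").lower()


def is_suspect(qname: str) -> bool:
    """True if qname is a suspect domain or a subdomain of one.

    Matching on label boundaries avoids the substring trap where
    'notbutterfly-cnc.example' would wrongly match 'butterfly-cnc.example'.
    """
    q = normalise_qname(qname)
    return any(q == d or q.endswith("." + d) for d in SUSPECT_DOMAINS)


def org_for(ip: str) -> str:
    """Map a client IP to an organisation via the constructed table."""
    addr = ip_address(ip)
    for net, org in ORG_NETS:
        if addr in net:
            return org
    return "unknown"


def parse_line(line: str):
    """Parse one log line into (timestamp, client, qname); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, _qtype = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qname


def analyse(log_text: str) -> dict:
    """Per organisation: hosts seen, query count, domains hit, first/last
    seen, and 'repeat_hosts' that queried at two or more distinct times."""
    per_org = defaultdict(lambda: {
        "hosts": set(), "queries": 0, "domains": set(),
        "first_seen": None, "last_seen": None, "_times": defaultdict(set),
    })
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname = rec
        if not is_suspect(qname):
            continue
        e = per_org[org_for(client)]
        e["hosts"].add(client)
        e["queries"] += 1
        e["domains"].add(normalise_qname(qname))
        e["_times"][client].add(ts)
        e["first_seen"] = ts if e["first_seen"] is None else min(e["first_seen"], ts)
        e["last_seen"] = ts if e["last_seen"] is None else max(e["last_seen"], ts)
    for e in per_org.values():
        e["repeat_hosts"] = {h for h, t in e["_times"].items() if len(t) >= 2}
        del e["_times"]
    return dict(per_org)


if __name__ == "__main__":
    for org, e in sorted(analyse(SAMPLE_LOG).items()):
        print(f"{org}: {len(e['hosts'])} host(s), {e['queries']} query(ies), "
              f"{e['first_seen']:%H:%M} to {e['last_seen']:%H:%M}, "
              f"repeat contact from {sorted(e['repeat_hosts']) or 'none'}")
```

Running it on the constructed log reports the bank with two hosts, one of which contacted a suspect site on two separate occasions, the government department with a single lookup, and the research lab with three lookups all in the same second, which is the pattern a scanner or analyst produces rather than an infected host beaconing over time.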

It seemed like a good idea to contact some of the companies that had been victimized. “We had our people call up and say, we’re not trying to sell you anything, this isn’t a crank call. You have a compromised computer and here’s how to fix it,” Mr. Davis said.

But instead of gratitude, often they were met by hostility and disbelief. “It was pretty frustrating,” he acknowledged.

The Canadian Bankers Association acknowledged at the time that while the malware might have found its way onto computers within the big banks, no customer data had been stolen or compromised.

As recently as three years ago, such malware was mostly focused on stealing personal information rather than corporate data, so the consequences for companies were not necessarily severe. But the bad guys have upped their game, according to Mr. Davis, and that has changed.

Mr. Davis is currently director of partnerships at CrowdStrike, a computer security firm based in Irvine, California.